TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Sabrina Barbey
Webmaster:
Blaise Carrera
Kismet - The Easy Tutorial - 802.11 protocols

Kismet 802.11
Last update: 07-Dec-2010 french flagenglish flag


Tool
Install
Ergonomy
Forum



Details What is Kismet ?
Screenshots
Prerequisites
Installation
Configurations
Platform
802.11 Protocol
Logs
Wireless & Security

English spelling not yet checked!




If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!


802.11 is a set of standards for WLAN (Wireless Local Area Network) defining Wireless data. It is currently mainly composed of three protocols: 802.11a, 802.11b and 802.11g.
A new protocol called 802.11n should be released in 2009. It is already implemented in some wireless card and access points in a draft state.

Protocol Release date Max rate [Mbit/s] Frequency [GHz]
802.11a 2001 54 5
802.11b 1999 11 2.4
802.11g 2003 54 2.4
802.11n 2009? 300 5 and/or 2.4
Note that this is not possible to reach the maximum data rate indicated by the manufacturers. In optimal conditions, about half this value can be reached for 802.11a/b/g and 1/3 for 802.11n.

It is not permitted to transmit Wireless data at any frequency, only some ranges around 2.4 Ghz and 5 GHz are allowed not to enter in conflict with other type of waves such as the one used for the mobile telephony (GSM) or the radio. Other rules are imposed to wireless hardware such as maximum transmission power.

Data can be transmitted through 13 channels. In a multi access-points environment, the channel number must be set carefully on each access point to avoid wave interference leading to poor transmission rate for the wireless users.

The wireless client devices communicate in two modes:
- Infrastructure:
- Ad-Hoc

The "infrastructure" mode is used when a wireless client such as a laptop is connected to a Wireless station called Access-Point. This mode is used most of the time. The "Ad-Hoc" mode is used when two hosts want to communicate directly between each other without traveling through an access point.



the 802.11 protocols operate at the layer 2 level of the OSI model and are composed of three different Wireless frame types:
- Control frames: Help the data frames delivery.
- Management frames: Establish and maintain wireless communications.
- Data frames: Transport the data.

Press the "p" key in the kismet main interface to see the captured wireless frames.

Management frames (Mx):

Kismet
Ma
MA
Mr
MR
Mp
MP
MB
MM
MD
Mt
MT
M?
Description
Association request
Association response
Reassociation request
Reassociation response
Probe request
Probe response (See example)
Beacon (See example)
ATIM
Disassociation
Authentication
Deauthentication
Unknown management frame
Physical (Control) frames (Px): (See example)

Kismet
Pt
PT
PA
Pc
PC
P?
Description
Request to send
Clear to send
Data Ack
CF End
CF End+Ack
Unknown phy frame
Data frames: (See example)

Kismet
DD
Dc
Dp
DP
DN
Da
PA
D?
Description
Data frame
Data+CF+ACK
Data+CF+Poll
Data+CF+ACK+Poll
Data Null
CF Ack
CF Ack+Poll
Unknown data frame
Check the wi-fiplanet website to get details about each frame type.



Here are examples of one control, data and management frames.

1.  Control Frame
2.  Data Frame
3.1 Management frame (Probe Response)
3.2 Management Frame(Beacon)


1. Frame control - Acknowledgement

Wireshark capture

wireshark wireless frame control

Tshark capture.

Frame 4 (10 bytes on wire, 10 bytes captured)
  Arrival Time: Feb 5, 2008 19:27:18.873416000
  [Time delta from previous captured frame: 0.000003000 seconds]
  [Time delta from previous displayed frame: 0.000003000 seconds]
  [Time since reference or first frame: 0.055028000 seconds]
  Frame Number: 4
  Frame Length: 10 bytes
  Capture Length: 10 bytes
  [Frame is marked: False]
  [Protocols in frame: wlan]
IEEE 802.11
  Type/Subtype: Acknowledgement (0x1d)
  Frame Control: 0x00D4 (Normal)
    Version: 0
    Type: Control frame (1)
    Subtype: 13
    Flags: 0x0
      DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
      .... .0.. = More Fragments: This is the last fragment
      .... 0... = Retry: Frame is not being retransmitted
      ...0 .... = PWR MGT: STA will stay up
      ..0. .... = More Data: No data buffered
      .0.. .... = Protected flag: Data is not protected
      0... .... = Order flag: Not strictly ordered
  Duration: 0
  Receiver address: Aironet_91:91:91 (00:40:96:91:91:91)
Top of the page     Frames menu



2. Data frame

Wireshark capture

wireshark wireless frame data

Tshark capture

Frame 11 (82 bytes on wire, 82 bytes captured)
  Arrival Time: Feb 5, 2008 19:27:18.937491000
  [Time delta from previous captured frame: 0.000029000 seconds]
  [Time delta from previous displayed frame: 0.000029000 seconds]
  [Time since reference or first frame: 0.119103000 seconds]
  Frame Number: 11
  Frame Length: 82 bytes
  Capture Length: 82 bytes
  [Frame is marked: False]
  [Protocols in frame: wlan:data]
IEEE 802.11
  Type/Subtype: QoS Data (0x28)
  Frame Control: 0x4188 (Normal)
    Version: 0
    Type: Data frame (2)
    Subtype: 8
    Flags: 0x41
      DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01)
      .... .0.. = More Fragments: This is the last fragment
      .... 0... = Retry: Frame is not being retransmitted
      ...0 .... = PWR MGT: STA will stay up
      ..0. .... = More Data: No data buffered
      .1.. .... = Protected flag: Data is not protected
      0... .... = Order flag: Not strictly ordered
  Duration: 44
  BSS Id: Cisco_50:50:50 (00:1c:0e:50:50:50)
  Source address: Aironet_91:91:91 (00:40:96:91:91:91)
  Destination address: 01:00:5e:fa:fa:fa (01:00:5e:fa:fa:fa)
  Fragment number: 0
  Sequence number: 3847
  QoS Control
    Priority: 0 (Best Effort) (Best Effort)
    Ack Policy: Normal Ack (0x00)
    Payload Type: MSDU
    Transmit Opportunity (TXOP) Limit Requested: 0x00
  CCMP parameters
    CCMP Ext. Initialization Vector: 0x000000001469
    Key Index: 0
Data (48 bytes)
 
0000 eb 4d b5 5b 64 db ba 0b 54 4f 76 2b 05 00 a3 eb .M.[d...TOv+....
0010 ce 67 3d e8 68 30 6f 7a 5a 13 cc 38 89 a5 46 84 .g=.h0ozZ..8..F.
0020 e6 eb 5f 46 33 4b 2a 31 c1 98 3b 56 2d ae 61 24 .._F3K*1..;V-.a$
Top of the page     Frames menu



3.1 Management Frame (Probe response)

The Wireless clients send probe requests to determine which access points are within range. The access points answer to the clients with information about their capabilities such as the network name (SSID), supported rates, AP name, AP manufacturer, etc...
If the AP is set
not to broadcast its SSID, it will answer to a probe request with a blank SSID field.

Wireshark capture

wireshark wireless frame mangement probe  response

Tshark capture

Frame 20275 (216 bytes on wire, 216 bytes captured)
  Arrival Time: Feb 5, 2008 19:37:51.688023000
  [Time delta from previous captured frame: 0.002035000 seconds]
  [Time delta from previous displayed frame: 0.002035000 seconds]
  [Time since reference or first frame: 632.869635000 seconds]
  Frame Number: 20275
  Frame Length: 216 bytes
  Capture Length: 216 bytes
  [Frame is marked: False]
  [Protocols in frame: wlan]
IEEE 802.11
  Type/Subtype: Probe Response (0x05)
  Frame Control: 0x0050 (Normal)
    Version: 0
    Type: Management frame (0)
    Subtype: 5
    Flags: 0x0
      DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
      .... .0.. = More Fragments: This is the last fragment
      .... 0... = Retry: Frame is not being retransmitted
      ...0 .... = PWR MGT: STA will stay up
      ..0. .... = More Data: No data buffered
      .0.. .... = Protected flag: Data is not protected
      0... .... = Order flag: Not strictly ordered
  Duration: 314
  Destination address: HonHaiPr_28:28:28 (00:1c:26:28:28:28)
  Source address: Cisco_c0:c0:c0 (00:0f:24:c0:c0:c0)
  BSS Id: Cisco_c0:c0:c0 (00:0f:24:c0:c0:c0)
  Fragment number: 0
  Sequence number: 1462
IEEE 802.11 wireless LAN management frame
  Fixed parameters (12 bytes)
    Timestamp: 0x00000C1BD675BB4C
    Beacon Interval: 0.102400 [Seconds]
    Capability Information: 0x0431
      .... .... .... ...1 = ESS capabilities: Transmitter is an AP
      .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
      .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000)
      .... .... ...1 .... = Privacy: AP/STA can support WEP
      .... .... ..1. .... = Short Preamble: Short preamble allowed
      .... .... .0.. .... = PBCC: PBCC modulation not allowed
      .... .... 0... .... = Short Slot Time: Short slot time in use
      .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE
      .... .1.. .... .... = PWR MGT: STA will stay up
      .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented
      ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
      .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented
      0... .... .... .... = Immediate Block Ack: immediate block ack not implemented
  Tagged parameters (180 bytes)
    SSID parameter set: "OPENMANIAK"
      Tag Number: 0 (SSID parameter set)
      Tag length: 11
      Tag interpretation: OPENMANIAK
    Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0
      Tag Number: 1 (Supported Rates)
      Tag length: 8
      Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0 [Mbit/sec]
    DS Parameter set: Current Channel: 6
      Tag Number: 3 (DS Parameter set)
      Tag length: 1
      Tag interpretation: Current Channel: 6
    ERP Information: no Non-ERP STAs, use protection, short or long preambles
      Tag Number: 42 (ERP Information)
      Tag length: 1
      Tag interpretation: ERP info: 0x2 (no Non-ERP STAs, use protection, short or long preambles)
    RSN Information
      Tag Number: 48 (RSN Information)
      Tag length: 20
      Tag interpretation: RSN IE, version 1
      Tag interpretation: Multicast cipher suite: TKIP
      Tag interpretation: # of unicast cipher suites: 1
      Tag interpretation: Unicast cipher suite 1: AES (CCM)
      Tag interpretation: # of auth key management suites: 1
      Tag interpretation: auth key management suite 1: WPA
      RSN Capabilities: 0x0028
      .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
      .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
      .... .... .... 10.. = RSN PTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
      .... .... ..10 .... = RSN GTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
    Vendor Specific: WPA
      Tag Number: 221 (Vendor Specific)
      Tag length: 24
      Tag interpretation: WPA IE, type 1, version 1
      Tag interpretation: Multicast cipher suite: TKIP
      Tag interpretation: # of unicast cipher suites: 1
      Tag interpretation: Unicast cipher suite 1: TKIP
      Tag interpretation: # of auth key management suites: 1
      Tag interpretation: auth key management suite 1: WPA
      Tag interpretation: Not interpreted
    Extended Supported Rates: 24.0 36.0 48.0 54.0
      Tag Number: 50 (Extended Supported Rates)
      Tag length: 4
      Tag interpretation: Supported rates: 24.0 36.0 48.0 54.0 [Mbit/sec]
    Cisco Unknown 1 + Device Name
      Tag Number: 133 (Cisco Unknown 1 + Device Name)
      Tag length: 30
      Tag interpretation: Unknown + Name: AP01 #Clients: 0
    Vendor Specific: Aironet Unknown
      Tag Number: 221 (Vendor Specific)
      Tag length: 6
      Aironet IE type: Unknown (1)
      Aironet IE data: 0100
    Vendor Specific: Aironet CCX version = 3
      Tag Number: 221 (Vendor Specific)
      Tag length: 5
      Aironet IE type: CCX version (3)
      Aironet IE CCX version?: 3
    Vendor Specific: Aironet Qos
      Tag Number: 221 (Vendor Specific)
      Tag length: 22
      Aironet IE type: Qos (4)
      Aironet IE QoS unknown 1: 0x00
      Aironet IE QoS paramset: 2
      CCX QoS Parameters??: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 10, TXOP 0
      CCX QoS Parameters??: ACI 1 (Background), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 10, TXOP 0
      CCX QoS Parameters??: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 4, TXOP 0
      CCX QoS Parameters??: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 3, TXOP 0
    Vendor Specific: WME
      Tag Number: 221 (Vendor Specific)
      Tag length: 24
      Tag interpretation: WME PE: type 2, subtype 1, version 1, parameter set 2
     

Tag interpretation: WME AC Parameters: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 4, TXOP 0

      Tag interpretation: WME AC Parameters: ACI 1 (Background), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 4, TXOP 0
      Tag interpretation: WME AC Parameters: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 3, TXOP 94
      Tag interpretation: WME AC Parameters: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 2, TXOP 47
Top of the page     Frames menu




3.2 Management frame - Beacon

Beacon Frames are sent regularly by access points to help wireless clients to identify them.

In the beacon frame body, information similar to those found in "probe response" is displayed, such as the network name (SSID), supported rates, AP name, AP manufacturer, etc ... .

In an idle network, beacons dominate all other traffic.
If the AP is set not to broadcast its SSID, it will send beacons with a blank SSID field such as in the capture below.

Wireshark capture

wireshark wireless frame management beacon

Tshark capture

Frame 21 (212 bytes on wire, 212 bytes captured)
  Arrival Time: Feb 5, 2008 19:27:19.309692000
  [Time delta from previous captured frame: 0.007605000 seconds]
  [Time delta from previous displayed frame: 0.007605000 seconds]
  [Time since reference or first frame: 0.491304000 seconds]
  Frame Number: 21
  Frame Length: 212 bytes
  Capture Length: 212 bytes
  [Frame is marked: False]
  [Protocols in frame: wlan]
IEEE 802.11
  Type/Subtype: Beacon frame (0x08)
  Frame Control: 0x0080 (Normal)
    Version: 0
    Type: Management frame (0)
    Subtype: 8
    Flags: 0x0
      DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
      .... .0.. = More Fragments: This is the last fragment
      .... 0... = Retry: Frame is not being retransmitted
      ...0 .... = PWR MGT: STA will stay up
      ..0. .... = More Data: No data buffered
      .0.. .... = Protected flag: Data is not protected
      0... .... = Order flag: Not strictly ordered
  Duration: 0
  Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
  Source address: Cisco_b0:b0:b0 (00:14:f2:b0:b0:b0)
  BSS Id: Cisco_b0:b0:b0 (00:14:f2:b0:b0:b0)
  Fragment number: 0
  Sequence number: 3348
IEEE 802.11 wireless LAN management frame
  Fixed parameters (12 bytes)
    Timestamp: 0x00000C1BD675BB4C
    Beacon Interval: 0.102400 [Seconds]
    Capability Information: 0x0431
      .... .... .... ...1 = ESS capabilities: Transmitter is an AP
      .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
      .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000)
      .... .... ...1 .... = Privacy: AP/STA can support WEP
      .... .... ..1. .... = Short Preamble: Short preamble allowed
      .... .... .0.. .... = PBCC: PBCC modulation not allowed
      .... .... 0... .... = Short Slot Time: Short slot time in use
      .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE
      .... .1.. .... .... = PWR MGT: STA will stay up
      .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented
      ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
      .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented
      0... .... .... .... = Immediate Block Ack: immediate block ack not implemented
  Tagged parameters (176 bytes)
    SSID parameter set: "\000"
      Tag Number: 0 (SSID parameter set)
      Tag length: 1
      Tag interpretation:
    Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0
      Tag Number: 1 (Supported Rates)
      Tag length: 8
      Tag interpretation: Supported rates: 1.0(B) 2.0(B) 5.5(B) 6.0 9.0 11.0(B) 12.0 18.0 [Mbit/sec]
    DS Parameter set: Current Channel: 11
      Tag Number: 3 (DS Parameter set)
      Tag length: 1
      Tag interpretation: Current Channel: 11
    Traffic Indication Map (TIM): DTIM 0 of 2 bitmap empty
      Tag Number: 5 (Traffic Indication Map (TIM))
      TIM length: 4
      DTIM count: 0
      DTIM period: 2
      Bitmap Control: 0x00 (mcast:0, bitmap offset 0)
    ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
      Tag Number: 42 (ERP Information)
      Tag length: 1
      Tag interpretation: ERP info: 0x0 (no Non-ERP STAs, do not use protection, short or long preambles)
    RSN Information
      Tag Number: 48 (RSN Information)
      Tag length: 20
      Tag interpretation: RSN IE, version 1
      Tag interpretation: Multicast cipher suite: TKIP
      Tag interpretation: # of unicast cipher suites: 1
      Tag interpretation: Unicast cipher suite 1: AES (CCM)
      Tag interpretation: # of auth key management suites: 1
      Tag interpretation: auth key management suite 1: WPA
      RSN Capabilities: 0x0028
      .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
      .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
      .... .... .... 10.. = RSN PTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
      .... .... ..10 .... = RSN GTKSA Replay Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (0x0002)
    Vendor Specific: WPA
      Tag Number: 221 (Vendor Specific)
      Tag length: 24
      Tag interpretation: WPA IE, type 1, version 1
      Tag interpretation: Multicast cipher suite: TKIP
      Tag interpretation: # of unicast cipher suites: 1
      Tag interpretation: Unicast cipher suite 1: TKIP
      Tag interpretation: # of auth key management suites: 1
      Tag interpretation: auth key management suite 1: WPA
      Tag interpretation: Not interpreted
    Extended Supported Rates: 24.0 36.0 48.0 54.0
      Tag Number: 50 (Extended Supported Rates)
      Tag length: 4
      Tag interpretation: Supported rates: 24.0 36.0 48.0 54.0 [Mbit/sec]
    Cisco Unknown 1 + Device Name
      Tag Number: 133 (Cisco Unknown 1 + Device Name)
      Tag length: 30
      Tag interpretation: Unknown + Name: AP02 #Clients: 1
    Vendor Specific: Aironet Unknown
      Tag Number: 221 (Vendor Specific)
      Tag length: 6
      Aironet IE type: Unknown (1)
      Aironet IE data: 0100
    Vendor Specific: Aironet CCX version = 3
      Tag Number: 221 (Vendor Specific)
      Tag length: 5
      Aironet IE type: CCX version (3)
      Aironet IE CCX version?: 3
    Vendor Specific: Aironet Qos
      Tag Number: 221 (Vendor Specific)
      Tag length: 22
      Aironet IE type: Qos (4)
      Aironet IE QoS unknown 1: 0x00
      Aironet IE QoS paramset: 2
      CCX QoS Parameters??: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 10, TXOP 0
      CCX QoS Parameters??: ACI 1 (Background), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 10, TXOP 0
      CCX QoS Parameters??: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 4, TXOP 0
      CCX QoS Parameters??: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 3, TXOP 0
    Vendor Specific: WME
      Tag Number: 221 (Vendor Specific)
      Tag length: 24
      Tag interpretation: WME PE: type 2, subtype 1, version 1, parameter set 2
     

Tag interpretation: WME AC Parameters: ACI 0 (Best Effort), Admission Control not Mandatory, AIFSN 3, ECWmin 4, ECWmax 4, TXOP 0

      Tag interpretation: WME AC Parameters: ACI 1 (Background), Admission Control not Mandatory, AIFSN 7, ECWmin 4, ECWmax 4, TXOP 0
      Tag interpretation: WME AC Parameters: ACI 2 (Video), Admission Control not Mandatory, AIFSN 2, ECWmin 3, ECWmax 3, TXOP 94
      Tag interpretation: WME AC Parameters: ACI 3 (Voice), Admission Control not Mandatory, AIFSN 2, ECWmin 2, ECWmax 2, TXOP 47

Top of the page     Frames menu





If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!